A significant cyber campaign, believed to be the work of the FIN11 threat actor, has targeted customers of Oracle’s E-Business Suite (EBS) enterprise resource planning solutions. The operation, which began with extortion emails sent to executives in late September, has now seen the criminals name nearly 30 organizations allegedly impacted. The attacks were publicly claimed by the notorious Cl0p (aka Clop) ransomware group. This choice was likely strategic, leveraging Cl0p’s history with similar high-impact campaigns against file transfer products like MOVEit and Cleo to add pressure to the victims.
To date, twenty-nine alleged victims of the Oracle EBS hack have been publicly listed on the Cl0p leak website. Some organizations, such as Harvard University, South Africa’s Wits University, and American Airlines subsidiary Envoy Air, confirmed they were impacted shortly after being named by the attackers in mid-October. Last week, The Washington Post also confirmed it had been successfully targeted in the campaign, though no details were shared publicly. The list of alleged victims is diverse, spanning various critical sectors including mining, professional services, manufacturing, transportation, technology, and energy, with industrial giants like Schneider Electric and Emerson also named.
However, a majority of the alleged victims have not yet publicly confirmed suffering a data breach. Many are likely conducting sensitive internal investigations and may be hesitant to share information until those probes are completed. Alternatively, based on patterns from past Cl0p attacks, some organizations may simply be opting for silence to avoid public scrutiny and the associated fallout. Despite attempts by SecurityWeek to reach out for comment to major companies on the list, including Logitech and Cox Enterprises, none have responded, suggesting a coordinated silence among many of the named organizations.
The cybercriminals have gone beyond simply listing names by leaking data allegedly stolen from 18 victims, with the volume of published files ranging from hundreds of gigabytes up to several terabytes in some cases. A limited structural analysis of some of these leaked files has led to the conclusion that they likely originated from an Oracle environment, lending credibility to the attackers’ claims. While it’s unlikely that organizations have been falsely listed, based on Cl0p’s history, the hackers may sometimes list a parent company even if a smaller subsidiary was the actual target, or exaggerate the value of the compromised data.
The exact Oracle EBS vulnerabilities exploited in this campaign remain unclear, but the most likely candidates are CVE-2025-61882 and CVE-2025-61884. Both vulnerabilities are critical as they can be exploited remotely without authentication to gain access to sensitive data. Notably, exploitation of CVE-2025-61882 appears to have begun at least two months before the official patches were released, suggesting it was being actively used as a zero-day vulnerability.